Server hacked.. Maybe a new 0day

lol

Yep...how can you say you're secure when you do not use ssh keys? honestly..

If you disabled logins via passwords in SSHD and used keys then he/she won't have been able to gain access to SSH..

Ahwell it's a harsh reality but it might be a good idea to start using keys

 

Without SSH access the account is useless. There are a number of ways, you should check your websites haven't been infected with a shell script like c99. c99: http://shellci.biz/c99.txt.

 

What about WHM? Doesn't that allow root logins? Not sure if they function as root if not called root though?

 

I really don't want to distract from the original poster's question, how did they actually gain access in the first place?

(He says, running "useradd -m localhost; passwd -l localhost" on all his boxes ...)

 

So basically they had root or sudo axx to the adduser function to add there account anyways..

 

Yes, they had root somehow - although the unusual choice of username may not be a coincidence. Possibly they thought 'localhost' would go under the radar, so chose it for that reason; possibly the hack does that.

 

You still haven't figured out where they came in?

I suggest you track down their ip and start greping domlogs to find the original intrusion point.

 

I have to say, Chirpy's CSF with a modsecurity trigger of five is an excellent way to deter many of these attackers. Stick SSH on a very high port and fend off port scans and invalid logins with CSF as well.

I am interested in how he got in.

 

Hense why using SSH keys would fix this as they would not be able to try and bruteforce the password.. IF thats how they got in, you really should think about your passwords.

 

As I mentioned, CSF blocks brute forces rather quickly.

 

it's equally likely you are compromised on a personal level. look for trojans and keyloggers.

 

Hey there,

suPHP is not a failsafe at all, it's a container. The great thing about suPHP is it runs your scripts as the user who's directory you're in. The good thing about suPHP is it doesn't allow 7's or 6's across the board, doesn't allow nobody write-access.

The bad thing about suPHP is it doesn't STOP hacks from happening, at all. I'm not sure why you'd believe that either. It just limits the hacks infection to the user account. This still doesn't mean the hacker can't log in via shell or elevate privileges. As soon as a hacker has access to a c99 or r57, it's open territory to get in and hook in.

You have to understand here, in layering terms, you need to protect them all.

1. SSH Keys protect against password sniffing.
2. mod_sec rules are important as they close off openings in the scripts themselves.
3. suPHP is important because if mod_sec fails to catch something, suPHP will tie the hacker to a certain namespace.
4. SELinux or GRsec are important because they'll randomize the stack, so exploits for overflows don't go over so easily.

Another important point to think of is the host you use. I've known hackers that have rooted routers that are sniffed and tapped. This isn't paranoia, big brother exists. You don't believe it until you meet him.

If your other boxes aren't rooted, then consider yourself lucky. You may want to start pushing the buck a bit more and installing tripwire and/or AIDE for forensics, combined with a good port knocker to harden SSHd one step further.

Security starts with the security agent. Your practices are not fail-safe, they are fallible, ultimately. If it was a CentOS hole, my network would be crippled. We're all getting the same upstream packages. My net isn't though, so that leads me to believe you're running:

a) Something that's rootable;
b) Some non-conventional software;
c) Your bastion/home-base is tapped.

A good hacker... and they do exist, will NOT leave obvious traces. If they do, they are kiddies. That's for sure. You may be dealing with the former... though I still believe you're dealing with the latter.

Start a remote syslogd as well, for fun, to see what's going on. If that guy gained elevation, then his logs are gone, and your best bet is domlogs to see if they C99'd you. Scan for .txt files, they usually are .txt, generally.

Regards,